Answer-first summary for fast verification
Answer: Create an IAM role that includes Lambda as a trusted service. Attach a policy to the role that allows read and write access to the DynamoDB table. Update the configuration of the Lambda function to use the new role as the execution role.
## Explanation **Correct Answer: B** **Why Option B is the most secure solution:** 1. **IAM Roles for AWS Lambda (Execution Roles)**: AWS Lambda uses IAM execution roles to grant permissions to the function. This is the recommended AWS best practice for Lambda functions. 2. **Temporary Credentials**: When you use an IAM role, AWS automatically provides temporary security credentials to the Lambda function. These credentials are: - Rotated automatically by AWS - Short-lived (typically valid for up to 1 hour) - Never stored in environment variables or code 3. **No Credential Management**: There are no long-term access keys to manage, rotate, or potentially expose. 4. **Trust Relationship**: The role is configured to trust the Lambda service (`lambda.amazonaws.com`), allowing Lambda to assume the role on behalf of the function. **Why other options are less secure:** **Option A**: - Uses IAM user credentials (long-term access keys) - Stores credentials in environment variables (potentially exposed) - Requires manual credential rotation - Credentials could be exposed through Lambda console or API **Option C**: - Still uses IAM user credentials (long-term access keys) - While Parameter Store provides encryption, credentials still need to be retrieved and used - Requires credential rotation management - More complex implementation **Option D**: - Incorrect trust relationship (DynamoDB cannot assume roles for Lambda) - Lambda functions cannot "attach to" roles in code - roles are configured at the function level - Misunderstanding of IAM trust relationships **Best Practice Summary:** - Always use IAM roles for AWS Lambda functions - Never store long-term credentials in Lambda functions - Use execution roles with appropriate permissions - Follow the principle of least privilege - AWS automatically manages temporary credentials for Lambda execution roles
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
A serverless application uses Amazon API Gateway, AWS Lambda, and Amazon DynamoDB. The Lambda function needs permissions to read and write to the DynamoDB table.
Which solution will give the Lambda function access to the DynamoDB table MOST securely?
A
Create an IAM user with programmatic access to the Lambda function. Attach a policy to the user that allows read and write access to the DynamoDB table. Store the access_key_id and secret_access_key parameters as part of the Lambda environment variables. Ensure that other AWS users do not have read and write access to the Lambda function configuration.
B
Create an IAM role that includes Lambda as a trusted service. Attach a policy to the role that allows read and write access to the DynamoDB table. Update the configuration of the Lambda function to use the new role as the execution role.
C
Create an IAM user with programmatic access to the Lambda function. Attach a policy to the user that allows read and write access to the DynamoDB table. Store the access_key_id and secret_access_key parameters in AWS Systems Manager Parameter Store as secure string parameters. Update the Lambda function code to retrieve the secure string parameters before connecting to the DynamoDB table.
D
Create an IAM role that includes DynamoDB as a trusted service. Attach a policy to the role that allows read and write access from the Lambda function. Update the code of the Lambda function to attach to the new role as an execution role.